During the last two decades, an explosion of global, interactive, online computing, including, but not limited to, e-commerce, entertainment and research, has greatly increased the communications between and among people and computer systems in almost all parts of the world. With this advent, there has also been an explosion of people and computer systems disclosing, receiving and managing Personally Identifiable Information (PII). Moreover, with the growth and expansion of cloud computing, PII stored away from one's personal computer has become a norm. This growth of the use of PII has caused great concern among both the private sector and government alike. For example, the Ponemon Institute conducts independent research on privacy, data protection and information security policy with the goal to enable organizations in both the private and public sectors to have a clearer understanding of the trends in practices, perceptions and potential threats that will affect the collection, management and safeguarding of personal and confidential information about individuals and organizations.
In response to the dangers involved with people and computer systems disclosing, receiving and managing PII, governmental jurisdictions, including countries and states, have created privacy laws to protect individuals within their jurisdictions. For example, in the United States, the following federal laws have been created to protect PII (certain laws are identified by acronym):                COPPA—protects PII for children online.        TCPA and TSR—protect PII used in telemarketing.        CAN SPAM—protects PII used in email marketing.        Gramm-Leach-Bliley Act—protects PII used with financial transactions.        PCI—protects PII used in payment card transactions.        FCRA—protects PII used in credit checks and credit reports.        Patriot Act—allows the federal government to access PII to obstruct terrorism.        HIPAA—protects PII used in healthcare.        Cable Act—protects PII regarding a person's viewing habits.        Privacy Act—protects one from the government's use of PII.        VRPA—protects PII regarding a person's video rental habits.        DPPA—protects PII regarding a person's driving records.Various states in the United States have created the following laws to protect PII:        Many states have unfair and deceptive trade practices laws known as “Baby FTC Acts” that provide similar protection to the acts created by the FTC.        Notice of security breach acts require an entity to notify consumers when their PII has been or may have been breached.        General data security/data destruction acts protect accidental or illegal use of PII.        Many state laws protect PII used in telemarketing.        Many state laws protect PII relating to employment and employees.        The California Online Privacy Protection Act prevents operators of commercial websites and online services from mishandling PII        The California “Shine the Light” Act limits how PII may be used for marketing, or “list brokerage”.        Many state laws protect the use of social security numbers.        Many state laws protect PII used in pharmaceutical drug transactions.        Many state laws protect PII used in financial transactions.        Many state laws protect PII by limiting the use of spyware.        
In the European Union (EU), there is no single law protecting PII. However, generally, EU laws apply to all forms of data processing, including storing data. Databases must typically be registered with national data protection authorities in various countries. EU Model Clauses have been developed to restrict the use and the geographic location of data and are required for non-EU hosting. Individuals have the right to access and correct their personal data. Handlers of data have certain technical requirements to fulfill security obligations, and sensitive data, such as PII, is subject to additional restrictions.
While many other countries have similar protections to those provided in the United States and in Europe, many countries or other jurisdictions have privacy rules under consideration and not yet implemented or none at all.
Certain inventions have attempted to handle the management of PII. For example, U.S. Pat. No. 7,069,427 to Adler, et al. for “Using a Rules Model to Improve the Handling of Personally Identifiable Information” issued Jun. 27, 2006 relates to a system and method for handling personally identifiable information using a rules model. This patent involves defining a limited number of privacy-related actions regarding personally identifiable information, constructing a rule for each circumstance in which one of said privacy-related actions may be taken or must be taken, allowing for the input of dynamic contextual information to precisely specify the condition for evaluation of a rule, creating a programming object containing at least one of said rules, associating the programming object with personally identifiable information, processing a request, and providing an output. This invention specifies additional actions that must be taken, such as 1) authorizing a privacy-related action; 2) authorizing a privacy-related action plus specifying more tasks; or 3) denying a request but also suggesting what must be done to have said request approved. The concept of an empty form for gathering data under a specified policy, and a filled form for representing the gathered data along with the policy, are used when describing data actions. The rules model is based on the following limited set of privacy-related actions: access, disclose, release, notify, utilize, update, withdraw consent, give consent, delete, anonymize, depersonalize, and repersonalize.
U.S. Pat. No. 7,533,113 to Haddad for “System and Method for Implementing Privacy Preferences and Rules within an E-Business Data Warehouse” issued May 12, 2009 relates to a computer implemented method of and apparatus for collecting and managing customer related information within an E-Business customer relationship management system. The customer relationship management system includes a database in which customer-related information, as well as privacy policy and privacy consent information governing the collection and use of customer related information, is stored and organized. The database includes tables containing privacy consent default values for customers of the E-Business retailer and high-level privacy consent values selected by the customers, specific privacy consent values selected by the customers for a plurality of privacy categories defined by the Platform for Privacy Preference (P3P), and privacy consent values selected by the customers for different customer addresses. In the situation where customers or potential customers include minor children, the database includes a database table containing parental privacy consent values for said children under thirteen years of age. The design supports four levels of privacy granularity, which can be used independently or in a complimentary fashion.
U.S. Pat. No. 7,603,317 to Adler, et al. for “Using a Privacy Agreement Framework to Improve Handling of Personally Identifiable Information” issued Jan. 16, 2003 relates to identifying the parties involved in a process of handling personally identifiable information, identifying the data involved in said process, classifying the data, expressing each relationship between each pair of said parties in terms of a privacy agreement, and representing the parties, data, and privacy agreements graphically in one or more privacy agreement relationship diagrams. Privacy agreements are based on a limited set of privacy-related actions: access, disclose, release, notify, utilize, update, withdrawConsent, giveConsent, delete, anonymize, depersonalize, and repersonalize.
U.S. Pat. No. 7,962,962 to Adler, et al. for “Using an Object Model to Improve Handling of Personally Identifiable Information” issued Jun. 14, 2011 relates to methods and systems for handling PII by “(1) providing in a computer a first set of object classes representing active entities in an information-handling process, wherein a limited number of privacy-related actions represent operations performed on data; (2) providing in the computer a second set of object classes representing data and rules in the information-handling process, wherein at least one object class has rules associated with data; and (3) handling transactions involving personally identifiable information, using the computer and object classes.”
Although handling PII between parties and systems has been addressed in the prior art, the prior art has not addressed handling PII in a globally compliant manner across and within governmental or defined synthetic jurisdictions without violating the privacy laws or rules of the involved jurisdictions. Accordingly, it would be desirable to create systems and methods to protect individuals by having information personally protected and subject to the rules of their own jurisdiction and by having that same protected information properly disseminated in jurisdictions with less stringent, more stringent or different privacy rules.